Digital cash aims to mimic the functionality of paper cash, by providing
properties such as anonymity and transferability of payment. Digital cash
is intended to be implemented as data which can be copied, stored, or given
as payment (for example, attached to an email message, or via a USB stick,
Bluetooth, etc.). Just like paper currency and coins, digital cash is
intended to represent value because it is backed by a trusted third party
(namely, the government and the banking industry).

Most money is already paid in electronic form; for example, by credit or
debit card, by direct transfer between accounts, or by on-line services
such as PayPal. This kind of electronic money is not digital cash, because
it doesn't have the properties of cash (namely, anonymous and off-line
transferability between holders).

How does Digital Cash work?

The figure shows the basic operation. User A obtains digital cash "coins"
from her bank (and the bank deducts a corresponding amount from her
account). The user is now entitled to use the coins by giving them to
another user B, who might be a merchant. B receives e-cash during a
transaction and sees that it has been authorized by a bank. B can then pay
the cash into their account at the bank.

Ideal properties of a Digital Cash system

Ideal properties:

Secure. Alice should be able to pass digital cash to Bob without either of
them, or anyone else, being able to alter or reproduce the electronic token.

Anonymous.
Alice should be able to pay Bob without revealing her identity, and
without Bob revealing his identity. Moreover, the Bank should not know
who Alice paid or who Bob was paid by. Even stronger, they should
have the option to remain anonymous concerning the mere existence of
a payment on their behalf.

Portable.
The security and use of the digital cash is not dependent on
any physical location. The cash should be able to be stored on disk or
USB memory stick, sent by email, SMS, internet chat, or uploaded on web
forms. Digital cash should not be restricted to a single, proprietary
computer network.

Two-way. Peer-to-peer payments are possible without either party being
required to attain registered merchant status (in contrast with today's
card-based systems). For example, Alice, Bob, Carol, and David share an
elaborate dinner together at a trendy restaurant and Alice pays the bill in
full. Bob, Carol, and David should then each be able to transfer one-fourth
of the total amount in digital cash to Alice.

Off-line capable. The protocol between the two exchanging parties is
executed off-line, meaning that neither is required to be host-connected
in order to proceed. Availability must be unrestricted. Alice can freely
pass value to Bob at any time of day without requiring third-party
authentication.

Wide acceptability. The
digital cash is well-known and accepted in a large commercial zone.
With several digital cash providers displaying wide acceptability,
Alice should be able to use her preferred unit in more than just a
restricted local setting.

User-friendly. The digital
cash should be simple to use from both the spending perspective and the
receiving perspective. Simplicity leads to mass use and mass use leads
to wide acceptability. Alice and Bob should not require a degree in
cryptography as the protocol machinations should be transparent to the
immediate user.

These are ideal properties, and no known system satisfies them all.

Categorization of payment systems

Implementations of payment systems
that don't satisfy all the requirements may
be conveniently classified according to these criteria:

Anonymous or identified. Anonymous e-cash works just like real paper cash.
Once anonymous e-cash is withdrawn from an account, it can be spent or
given away without leaving a transaction trail. This, however, can be
considered contentious. Identified payment systems, such as credit card
payment or payment by PayPal, leave an audit trail, and the identities of
the payee and the payer are known to the bank and (usually) to each other.

Online or offline. Online means you need to interact with a bank (via a
network) to conduct a transaction with a third party. Offline means you
can conduct a transaction without having to directly involve a bank.

Requiring a trusted platform. Some protocols may require a trusted
platform, such as a smart card. Smart cards are small plastic cards like
credit cards, bearing a chip. They are tamper-resistant and can force Alice
and Bob to adhere to the protocol. This is convenient for the protocol
designer, but threatens to tie users to proprietary interfaces and to
remove transparency of the system. In contrast, internet protocols
endorsed by the IETF are open and can be interoperably implemented by
anyone.

Two big problems

How can we guarantee anonymity? If the bank can see which coins it gives
to A, and later sees the same coins coming back from B, it can infer that
A has paid them to B (possibly via an intermediary).

How can we avoid double
spending? Because electronic files
can be duplicated, a big challenge for digital cash is how to stop
users spending money twice. On-line solutions achieve this by making
the payee check with the bank before acknowledging payment. Off-line
solutions have to use more elaborate methods.

Cryptographic primitives

Some technical concepts are
needed to understand digital cash protocols.

Blind signatures. Suppose Charlie wants Dianne to sign a message m, but
does not want Dianne to know the contents of the message. This might seem
like a strange thing -- why would Dianne sign something without knowing
what it is? But the concept has useful applications in situations
involving anonymity, such as digital cash. The arrangement works like this:

Charlie "blinds" the message m, with some random number b (the
blinding factor). This results in blind(m,b).

Dianne signs this message, resulting in sign(blind(m,b),d),
where d is Dianne's private key.

Charlie then unblinds the message using b, resulting in
unblind(sign(blind(m,b),d),b). The functions are designed so that this
reduces to sign(m,d), i.e. Dianne's signature on m.

Details of how blind signatures can be implemented using RSA are given
in another lecture.

Secret splitting. Suppose
I have a secret message string m, and I want to give part of it to
Alice and part of it to Bob, in such a way that neither of them
individually can tell anything about the secret, but if they get
together then they can reconstruct it.

One way might be to split the secret string into two parts, m1 and m2,
such that m = m1.m2, i.e. concatenating m1 and m2 yields m. This is not
very satisfactory because Alice and Bob each learn the first half or the
second half of the message.

A better way is to invent a random number r, and XOR m with r. Give r to
Alice, and m XOR r to Bob. Now neither of them knows anything about the
secret, because each of them has what looks like a completely random
string. However, if they get together, they can obtain m by calculating
r XOR (m XOR r) -- that is indeed m.

This can be generalised to any number of participants.

Online Digital Cash

Let's look at how each
component works.

Withdrawing coins

The following protocol is used in order to create a single coin of a
given denomination, say m.

The customer creates k units of money m. Each unit contains some header
information, the denomination, and a unique serial number. The serial
number is randomly generated and long enough that collisions do not take
place (e.g. a 64-bit serial number has a probability of collision of
1/2^64). So the money would have the format:

The customer blinds each of them with a different blinding factor b_i, and
sends them to the bank for signing.

The bank randomly chooses k-1
of them to check, and leaves one unit i.

The customer gives the bank all the blinding factors except the one for
unit i.

The bank can now check the contents to make sure the customer has not
tried to cheat (e.g. by putting in an amount larger than the agreed amount
m). There is still a chance that the bank does not check the unit that is
fraudulent, but the probability of this happening decreases as we increase
the size of k.

If all checks out, the bank signs the remaining unit with its private key
d and sends it back to the customer.

The customer un-blinds it using b_i to obtain the coin m_i signed by the
bank.

Thus, a coin consists of a signed message from the bank, asserting the
value of the coin. Importantly, the bank does not know the serial number
of the coin. That is how we obtain anonymity.
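As an added illustration (not part of this lecture's material), the following Python works through RSA blind signatures and the cut-and-choose withdrawal described above with a toy bank key; the key size, the unit format "ECASH|denomination|serial" and the hash-to-integer step are assumptions made here.

```python
import hashlib
import math
import secrets

# Toy RSA key for the bank (constructed here; far too small to be secure).
P, Q = 1000003, 999983
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # bank's private signing key d

def coin_hash(unit: bytes) -> int:
    """Map a coin unit (header|denomination|serial) to an integer mod N."""
    return int.from_bytes(hashlib.sha256(unit).digest(), "big") % N

def make_unit(denomination: int) -> bytes:
    """One unit: header, denomination and a random 64-bit serial number."""
    return f"ECASH|{denomination}|{secrets.token_hex(8)}".encode()

def blind(m: int):
    """Return (blind(m,b), b) for a fresh blinding factor b coprime to N."""
    b = secrets.randbelow(N - 2) + 2
    while math.gcd(b, N) != 1:
        b = secrets.randbelow(N - 2) + 2
    return (m * pow(b, E, N)) % N, b

def sign(x: int) -> int:
    """Bank's raw RSA signature with d; it only ever sees the blinded value."""
    return pow(x, D, N)

def unblind(blinded_sig: int, b: int) -> int:
    """unblind(sign(blind(m,b),d),b) == sign(m,d), because (b^e)^d == b mod N."""
    return (blinded_sig * pow(b, -1, N)) % N

def verify(unit: bytes, sig: int) -> bool:
    """Anyone can check the bank's signature with its public key (e, N)."""
    return pow(sig, E, N) == coin_hash(unit)

def withdraw(agreed: int, units: list):
    """Cut-and-choose withdrawal of one coin worth `agreed` from k units.
    Returns (unit, signature), or None when the bank catches a cheat."""
    k = len(units)
    blinded, factors = zip(*(blind(coin_hash(u)) for u in units))
    keep = secrets.randbelow(k)              # bank leaves unit i unopened
    for j in range(k):                       # customer reveals the other k-1
        if j == keep:
            continue
        denomination = int(units[j].split(b"|")[1])
        expected = (coin_hash(units[j]) * pow(factors[j], E, N)) % N
        if blinded[j] != expected or denomination != agreed:
            return None                      # a checked unit was fraudulent
    sig = sign(blinded[keep])                # bank never sees units[keep]
    return units[keep], unblind(sig, factors[keep])
```

A customer who hides one unit of value 100 among k units of value 10 is caught unless the bank happens to leave exactly that unit unopened, i.e. with probability (k-1)/k.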

Spending and depositing coins

These procedures are straightforward. To spend the coins, just give them
to the payee. To redeem them, just give them to the bank. The bank will
check their validity and credit your account.

To tackle the double spending problem, the payee has to verify the coin
with the bank at the point of sale in each transaction. This verification
of the legitimacy of the coin requires extra bandwidth and is a potential
bottleneck of the system, especially when traffic is high. The real-time
verification also means there is a need for synchronization between bank
servers.

Pros and Cons of the online digital cash system

Here is a summary of the pros and cons of the online system:

Pros

Provides fully anonymous and untraceable digital cash.

No double spending problems (coins are checked in real time during the
transaction).

No additional secure hardware required.

Cons

Communications overhead between merchant and the bank.

Huge database of coin records -- the bank server needs to maintain an
ever-growing database of all the used coins' serial numbers.

Difficult to scale; needs synchronization between bank servers.

Coins are not reusable.

Offline Digital Cash

In the off-line scheme, the withdrawal and deposit of coins are very
similar to the on-line scheme; the main difference is in how coins are
spent, in order to prevent double-spending without the need to verify with
the bank. This is achieved by adding an additional component to the model:
a trusted party, which performs a digital transformation of the coin when
it is transferred between users. This trusted party may be implemented as
a tamper-resistant device. In a real-life example, you could think of it
as a smart card reader at the point of sale, although note that it is not
required to be on-line. The device is trusted by the bank and by users,
and is used to verify the authenticity of the coin and to address the
double-spending problem. It does not prevent users from double-spending,
but it provides a means to trace them if they do. This has to be carefully
designed in order to preserve anonymity: secret splitting is used to allow
the user to remain anonymous as long as he/she doesn't double spend.
Details are given below.

In this system, coins are reusable. The merchant can spend the coin
elsewhere with other parties through another tamper-resistant device
before the coin is finally deposited back to the bank for verification.

In addition to the secret splitting method, to add extra security to the
offline system there could be a link between the bank and the
tamper-resistant device which allows the T.R.D. to download a blacklist of
double spenders at a set period when traffic is low. This reduces the
chance of people double spending their money in the first place.

How the off-line protocol works

A coin will contain the following:

Serial number -- a unique number that identifies the coin

Denomination -- the actual value of the coin

Validity period

Transaction list -- has an arbitrary number of transaction items.

Withdrawing and depositing the coins is the same as in the on-line
method, but spending the coins is different.

A transaction item is created when the coin is transferred between the
customer and the merchant. Each transaction item consists of n pairs. A
pair (p1,p2) is the identity of a user, split into two parts using the
secret splitting idea described above. The transaction list consists of k
transaction items. In all but the last one, half of each pair has been
blanked out.

Thus, a transaction list might look like this (three transaction items,
each of three pairs; "---" marks a blanked-out half):

    P1       P2
    ALI      ---
    ---      ICE
    ---      E

    BO       ---
    ---      OB
    B        ---

    CHA      RLIE
    CH       ARLIE
    CHARL    IE

If P1 and P2 are XORed, the original id of the user will be revealed. But
only the last owner can be seen, "CHARLIE". Note that secret splitting is
done with XOR, not concatenation; concatenation is used in the
illustration just to make the picture readable. There is no way the
identities of ALICE and BOB can be extracted from the transaction list.

When a user spends their money, the protocol randomly blanks either P1 or
P2 of each pair in the current owner's transaction item, and adds a new
transaction item (another list of P1, P2 pairs) for the new owner.

How does this detect double spending?

If a user makes a copy of a coin before they spend it, they have the
possibility of spending that coin again. However, when the coin is finally
returned to the issuer, it will be possible to discover the culprit. This
is achieved by combining a particular part of the identity from the
original coin with its corresponding part from the copied coin. Note that
the corresponding part will have been blanked out in the original coin.

The probability of catching a user

The probability of catching a user depends on the number of identity pairs
used in the transaction. The more pairs used, the greater the chance of
catching the culprit. The probability of catching the culprit is:

1 - (1/2)^n

where n is the number of pairs used.

For example, if n=5 then the chance of catching a user is 0.97. If n=20,
the chance of escaping detection is only about 0.00000095; in that case, a
double-spender would have only one chance in a million of not being caught.
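An added example, not from the lecture, that works through the XOR secret splitting from the primitives section, the transaction list with blanked halves, and the bank's double-spender check described above; the coin layout (identities as fixed-length byte strings, each item a list of [P1, P2] pairs, None for a blanked half) is an assumption of this code.

```python
import copy
import secrets
from functools import reduce

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_secret(secret: bytes, parts: int = 2) -> list:
    """XOR secret splitting for any number of participants: every share but
    the last is random, so fewer than all of them reveal nothing about it."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(parts - 1)]
    return shares + [reduce(xor, shares, secret)]

def join_secret(shares: list) -> bytes:
    """r XOR (m XOR r) == m; in general the XOR of all shares is the secret."""
    return reduce(xor, shares)

def new_coin(owner: bytes, n: int) -> list:
    """Transaction list with one unblanked item: n (P1,P2) splits of owner."""
    return [[split_secret(owner) for _ in range(n)]]

def spend(coin: list, new_owner: bytes) -> None:
    """What the trusted device does on transfer: blank P1 or P2 (at random)
    in each pair of the current owner's item, then append the new owner's."""
    for pair in coin[-1]:
        pair[secrets.randbelow(2)] = None
    coin.append([split_secret(new_owner) for _ in range(len(coin[-1]))])

def duplicate(coin: list) -> list:
    """A double spender's copy of the coin file, taken before spending it."""
    return copy.deepcopy(coin)

def kept_half(pair: list):
    """(index, value) of the one unblanked half, or None if the pair is
    still whole (its owner has not spent yet)."""
    kept = [(i, v) for i, v in enumerate(pair) if v is not None]
    return kept[0] if len(kept) == 1 else None

def find_double_spender(copy_a: list, copy_b: list):
    """Bank's check when two copies of one serial number come back: where
    one copy kept P1 and the other kept P2 of the same pair, XOR reveals
    the identity. Items blanked identically in both copies reveal nothing."""
    for item_a, item_b in zip(copy_a, copy_b):
        for pa, pb in zip(item_a, item_b):
            ha, hb = kept_half(pa), kept_half(pb)
            if ha and hb and ha[0] != hb[0]:
                return xor(ha[1], hb[1])
    return None

def catch_probability(n: int) -> float:
    """Chance that at least one of n pairs was blanked differently: 1-(1/2)^n."""
    return 1 - 0.5 ** n
```

Earlier owners whose item was blanked before the copy was made stay anonymous, because both copies carry the same halves of their pairs; only the owner who spent both copies gets complementary halves exposed.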

Memory requirements

By allowing more than one person to use the same coin, extra data is
appended to the coin 'file' on every transfer, so the size of this file is
ever growing. A possible solution is to have a maximum number of
transactions, which would limit the number of IDs added to the file. No
more transactions can take place once the maximum has been reached, and
the coin must be banked.

Also, to stop the bank's database of serial numbers from growing without
bound, there may be a validity period (or expiration date) associated with
the coin, after which the coin can no longer be banked. This would allow
the bank to 'clean up' its database of invalid serial numbers.

Pros and Cons of the offline digital cash system

Pros

Off-line, portable scheme.

User is fully anonymous unless he/she double spends.

Bank can detect double spenders (with high probability).

Banks don't need to synchronize their databases on each transaction.

Coins are reusable.

Cons

Might not prevent double spending immediately.

More expensive to implement: the extra security hardware needed in the
system is an additional cost.

Policy considerations

There is a lot of concern regarding the anonymity of digital cash with
respect to illegal activities. For example, it can be used for money
laundering and ransom demands without it being possible to trace the
culprit. There are proposals that address this problem, involving
identity escrow and trusted parties.

One of these solutions is to have a trusted third party in the
transaction. In the diagram below it is called a judge. The judge would
have access to either the message-signature pair or the signer's view of
the protocol. With this information, together with information from
either the sender or the signer, the culprit can be traced.

However, digital cash has not taken off,
in contrast with other electronic payment systems such as Paypal.

Paypal

Paypal is not "digital cash", because it doesn't attempt to provide
properties similar to cash (anonymity, off-line usage). Instead, it
aims to replace credit cards, and is much more secure. In contrast with
credit cards, Paypal payees do not have to have merchant status. Thus,
it is attractive to private individuals selling at auctions.

Digital cash was invented by David Chaum in 1988. In 1990 he founded
DigiCash, a pioneering firm in the area, but it attracted only US$160k in
two years, declared bankruptcy in 1998, and was bought by eCash
Technologies. Now eCash is having its own troubles and has been bought by
another company called InfoSpace.

PayPal was founded in December 1998. Adopting aggressive marketing
campaigns offering $10 (and later $5) for new users to sign up, the firm
grew at a meteoric rate of 7-10 percent per day between January and March
2000. In October 2002 PayPal was acquired by eBay. PayPal had previously
been the payment method of choice by over fifty percent of eBay users, and
the service competed with eBay's subsidiary BillPoint. eBay has phased out
its BillPoint service in favor of retaining the PayPal brand. PayPal's
only substantially similar competitor is now BidPay, after Citibank's c2it
service closed in late 2003, and Yahoo!'s PayDirect service closed in late
2004. In 2004, the total value of transactions through the PayPal system
was $18.9 billion, up 55% year over year. As of the end of Q2 2005, PayPal
operates in 57 countries (including China) and it manages over 78.9
million accounts. Every second PayPal processes an average of $823 in
total payment volume. (This information is extracted from Wikipedia.)

Conclusion

The elimination of physical cash from our economy is already feasible from
a purely technological perspective. However, substantial additional
investment in equipment and cards would be needed to permit even purchases
such as soft drinks to be made.

But transactional privacy is at the heart of critics' attack on digital
cash. Because it's untraceable, there are concerns about money laundering,
offshore banking and tax havens, and developments in digital cash have
been closely monitored. Investors don't have confidence in the development
of digital cash. In contrast, non-anonymous, on-line payment systems like
PayPal are enjoying huge success.

Questions to consider - just to check that you understand what this is
about!

What if Alice and Bob1 and Bob2 conspire together to achieve
double spending by Bob1 and Bob2 picking the same random numbers to
hide Alice's identity?

References

David Chaum, Amos Fiat and Moni Naor, "Untraceable Electronic Cash", in
Advances in Cryptology - CRYPTO '88 Proceedings.
This paper describes an off-line system which doesn't require any trusted
hardware, but coins can only be used once.